The vulnerability chain
Check Point Research disclosed three CVEs in LangGraph, the open-source multi-agent orchestration framework maintained by LangChain. The vulnerabilities affect self-hosted deployments using either the SQLite or Redis checkpointer backend.
CVE-2025-67644 (CVSS 7.3): SQL injection in the SQLite checkpointer
LangGraph's SQLite checkpoint implementation passes metadata filter keys directly into SQL queries without sanitization. An attacker who can influence filter key values can inject arbitrary SQL, affecting langgraph-checkpoint-sqlite versions before 3.0.1. In a self-hosted deployment where user input or external data reaches the checkpointer's filter logic, this is exploitable without authentication if the checkpointer is exposed.
CVE-2026-28277 (CVSS 6.8): unsafe msgpack deserialization
LangGraph deserializes checkpoint data from storage using msgpack without adequate validation. An attacker who has written malicious data into the checkpoint store via the SQL injection in CVE-2025-67644 can trigger object reconstruction on checkpoint load, leading to remote code execution. The two vulnerabilities chain: inject via SQL, persist malicious payload, trigger on next checkpoint read. Affects langgraph versions before 1.0.10.
CVE-2026-27022 (CVSS 6.5): RediSearch query injection in the Redis checkpointer
The Redis checkpointer backend is separately vulnerable to query injection via unsanitized filter inputs into RediSearch. This allows access-control bypass in multi-tenant deployments. Affects @langchain/langgraph-checkpoint-redis versions before 1.0.1.
What is affected and what is not
Self-hosted LangGraph deployments using the SQLite or Redis checkpointer with user-controlled filter input are at risk for the SQL injection and deserialization chain. LangChain's managed LangSmith Deployment is not affected. The JavaScript/TypeScript Redis checkpointer is the scope of CVE-2026-27022.
How to fix it
Update immediately:
- Langgraph-checkpoint-sqlite to 3.0.1 (Python)
- Langgraph to 1.0.10 (Python)
- @langchain/langgraph-checkpoint-redis to 1.0.1 (JavaScript/TypeScript)
If an immediate update is not possible: review whether user-controlled data can reach filter key values in your checkpointer configuration. If so, restrict access to the checkpointer layer at the network level until you can patch.
The broader pattern
LangGraph's checkpointer is how AI agents persist conversation state, tool call results, and intermediate reasoning steps between turns. It is the memory layer of an autonomous agent. The fact that this layer had a SQL injection vulnerability leading to deserialization-based RCE is not a surprise from a vulnerability class perspective. It is the same category of flaw that has appeared in web application persistence layers since the early 2000s.
The reason it is notable is context: this flaw exists in infrastructure that autonomous AI agents use to store and retrieve their own operational state. An attacker who exploits this chain in a production agent deployment gets code execution on the server running the agent, access to whatever API keys and credentials the agent holds, and potentially the ability to manipulate the agent's memory to influence future behavior.
AI agent frameworks are now production infrastructure. They need to be in your patch management process, your vulnerability scanning scope, and your penetration testing engagement scope. The attack surface is no longer only the model.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you run AI agent infrastructure in production and want to discuss your security posture.